Starting January 1st, Ontario’s healthcare organizations (all those who are health information custodians) will need to keep track of the following:

Number of incidents where personal health information was stolen:

- by an internal party
- by a stranger
- by a ransomware attack or other cyber attack
- on an unencrypted portable electronic device
- in paper format

Number of incidents where personal health information was lost:

- due to ransomware attack or other cyber attack
- on an unencrypted portable electronic device
- in paper format

Number of incidents where personal health information was used without authority:

- through electronic systems
- through paper records

Number of incidents where personal health information was disclosed without authority:

- through misdirected faxes
- through misdirected emails

Additional details are required to capture the number of individuals affected in each category. Check the guidelines for the categories, and just keep track of general numbers of people affected.

NOTE: Privacy breaches should be counted once even if they would otherwise fit multiple categories.